Admin Restrict Branch


adrian

Hi everyone,

Some critical updates this morning:

1) The module stopped doing anything in recent versions of PW 3 - I don't know exactly when, but this is now fixed.

2) I also added support for restricting the new Pages > Tree dropdown menu that was added in 3.0.55

Please let me know if you find any problems with these changes or if you find any other situations where the module is no longer working. Given the rapid development of new ways to access the page tree that are being added to PW, I strongly recommend thoroughly testing your site if this module is protecting critical info from certain users. Hopefully everything is already taken care of for the current PW dev version, but with the UiKit admin theme, there could be possible breaks.

Thanks for testing and letting me know!

  • Like 4

6 hours ago, PWaddict said:

@adrian Is it possible with this module to hide specific pages under home or I should stay with the hardcoded HideOtherUserPages module?

This module is for restricting users to a single branch of the page tree rather than hiding various ones throughout the entire tree. You'll need one of those other options for that. Maybe a module could be put together with more flexibility, but there are lots more issues when hiding specific pages.


1 hour ago, adrian said:

This module is for restricting users to a single branch of the page tree rather than hiding various ones throughout the entire tree. You'll need one of those other options for that. Maybe a module could be put together with more flexibility, but there are lots more issues when hiding specific pages.

I selected Specified Branch Parent and then on the user's profile field I selected the Home branch. Then on the Branch edit exclusions I selected a page under the Home that I want to hide but it's still visible. What am I missing?


5 minutes ago, PWaddict said:

I selected Specified Branch Parent and then on the user's profile field I selected the Home branch. Then on the Branch edit exclusions I selected a page under the Home that I want to hide but it's still visible. What am I missing?

Sorry, I think you have misunderstood how this works. If you are using the "Specified Branch Parent" - that is where you select the branch that you want the user restricted to. The "Branch Edit Exclusions" are just for things like external PageTable branches etc that the user still needs edit access to, even though they are outside their restricted branch.

Does that clear things up?


1 hour ago, adrian said:

Sorry, I think you have misunderstood how this works. If you are using the "Specified Branch Parent" - that is where you select the branch that you want the user restricted to. The "Branch Edit Exclusions" are just for things like external PageTable branches etc that the user still needs edit access to, even though they are outside their restricted branch.

Does that clear things up?

Ok now I understand, thanks. I will stay then with the hardcoded HideOtherUserPages module.


  • 3 weeks later...

@adrian

I am working on a multisite project using single database. I forked multisite.module by Antti and another fork by Soma and started to adapt it for my needs. Luckily I found your module. I tried it out and it fits 90% to my needs and already saved a lot of work. Thanks for this great module. :rolleyes:

To get it working properly I need to make some changes. I think these changes could also be an enhancement of your module and you maybe want to take it.

First of all I need an option to set  branchRootParentId via hook which is currently not possible since the related function isn't hookable and private too.
It would be nice if you could change the visibility of the function getBranchRootParentId() to protected and make it hookable.
As far as I can see there is no reason (security) to refrain from this.

Furthermore there are 2 unexpected behaviours or potential issues:

  1. In ProcessWire the breadcrumb 'Pages' is prepended to breadcrumbs in the PageEdit area of the root page only. @see ProcessPageEdit::setupBreadcrumbs()
    This behaviour is different in your module. The breadcrumb is prepended in any Editor not only for the branchRootParent since $this->wire('breadcrumbs')->count() returns always 0. Is this wanted like that?
    I would prefer the default behavior here. I found a working solution. If you like I could post an issue on github.
     
  2. The BranchRootParent is not prepended to the Pagetree under PagesTab.
    ProcessPageList::executeNavJSON() doesn't prepend branchRootParent here. This couldn't be solved inside your module.
    I can see a PW issue here. ProcessPageList::executeNavJSON() should use $config->rootPageID instead of hardcoded 1

    Possible Solution
    // in ProcessPageList::executeNavJSON
    // Line 489 from
    if(!$parentID) $parentID = 1;
    // to 
    if(!$parentID) $parentID = $config->rootPageID;
    
    // Line 494 from
    if($parentID === 1 && $parentViewable) $items->prepend($parent);
    // to
    if($parentID === $config->rootPageID && $parentViewable) $items->prepend($parent);
    
    // Line 523 from
    $numChildren = $id > 1 ? $page->numChildren : 0;
    // to
    $numChildren = $id != $config->rootPageID ? $page->numChildren : 0;
    
    // Line 551 from
    if($page->id > 1 && $page->numChildren) {
    // to
    if($page->id != $config->rootPageID && $page->numChildren) {
    
    // in your module
    public function ready() {
        $this->wire('config')->rootPageID = $this->branchRootParentId;
        // ...
    }

 

  • Like 2

  • 2 weeks later...
On 5/7/2017 at 5:34 AM, kixe said:

@adrian

I am working on a multisite project using single database. I forked multisite.module by Antti and another fork by Soma and started to adapt it for my needs. Luckily I found your module. I tried it out and it fits 90% to my needs and already saved a lot of work. Thanks for this great module. :rolleyes:

 

Working on a similar project, a kind of site parameterised site cloner. All in one PW install for maintenance commodity. Would love to see the outcome of this discussion :)


  • 1 month later...

Hi @kixe - thanks for all your thoughts here. Hopefully you know that I have been away and not just ignoring your post!

On 5/7/2017 at 3:34 AM, kixe said:

First of all I need an option to set  branchRootParentId via hook which is currently not possible since the related function isn't hookable and private too.
It would be nice if you could change the visibility of the function getBranchRootParentId() to protected and make it hookable.

The latest version has the getBranchRootParentId function hookable.

 

On 5/7/2017 at 3:34 AM, kixe said:

In ProcessWire the breadcrumb 'Pages' is prepended to breadcrumbs in the PageEdit area of the root page only. @see ProcessPageEdit::setupBreadcrumbs()
This behaviour is different in your module. The breadcrumb is prepended in any Editor not only for the branchRootParent since $this->wire('breadcrumbs')->count() returns always 0. Is this wanted like that?
I would prefer the default behavior here. I found a working solution. If you like I could post an issue on github.

The reason I did this is because when a user is restricted to a branch of the page tree, there is no "Home" breadcrumb, so I added this to give them easy access back to the root of the pages they have access to. I am curious about the working solution you have though - maybe it takes care of what we both want?

 

On 5/7/2017 at 3:34 AM, kixe said:

The BranchRootParent is not prepended to the Pagetree under PagesTab.
ProcessPageList::executeNavJSON() doesn't prepend branchRootParent here. This couldn't be solved inside your module.
I can see a PW issue here. ProcessPageList::executeNavJSON() should use $config->rootPageID instead of hardcoded 1

I think that regardless of the interaction with this module, those "1" values shouldn't be hardcoded in the PW as you noted - maybe you could submit a PR to Ryan to fix those? As for the actual prepending of BranchRootParent to the Pagetree under PagesTab, do you mean here:

[screenshot]

Test One and Test Two are children of the BranchRootParent and, as you note, the BranchRootParent itself is not shown. Not critical, but I agree it would be nicer if it was, but from some quick looking around I don't think it's going to be possible at the moment without manually prepending the BranchRootParent to the markup returned by ProcessPageList::executeNavJSON - certainly possible, but not pretty.

Any thoughts on my comments?

I'd certainly like to help as much as possible for you on this, so just let me know.

Cheers,
Adrian

 

  • Like 1

@adrian First of all: Welcome back!

5 hours ago, adrian said:

The latest version has the getBranchRootParentId function hookable.

Great, Thanks!

Check out my fork to see the changes I made.
https://github.com/kixe/AdminRestrictBranch/tree/kixe

Everything is working pretty good together with the small changes in ProcessPageList::executeNavJSON()

6 hours ago, adrian said:

I think that regardless of the interaction with this module, those "1" values shouldn't be hardcoded in the PW as you noted - maybe you could submit a PR to Ryan to fix those?

Ryan is very busy and there are some other unsolved issues I am interested in. Furthermore there are many other places in the core where '1' is used instead of $config->rootPageID. I think it should be consistent but it's not so easy to change this.

 


  • 1 year later...

@adrian Thanks for this awesome module!

Until now, I didn't have a real use-case for this module, but for an upcoming project I think I might use it.

Is it possible to define more than one single branch tree? Let's say I have three areas (parents) I want to allow user x to see/edit, would I define this via "Branch parent to restrict access to"? Is that the way to go?


Just now, dragan said:

Is it possible to define more than one single branch tree? Let's say I have three areas (parents) I want to allow user x to see/edit, would I define this via "Branch parent to restrict access to"? Is that the way to go?

Unfortunately that's not possible with the way this module works.

There is lots of discussion floating around about why it's difficult to hide parts of the page tree - have a read starting here: https://processwire.com/talk/topic/1176-hiding-uneditable-pages-from-users/?do=findComment&comment=84916 - there are links to some different gists that might be helpful for you.

  • Like 1

  • 1 month later...
1 minute ago, Jonathan Lahijani said:

Great module @adrian.

For the Custom PHP Code option, can you make it also have access to the $pages variable (in addition to just the $user variable)? I have a use case for it and it would be helpful. I modified the module to include it and it worked fine for me.

Glad you like it 🙂

I don't see any reason not to. Would you mind submitting a PR? Please bump the version number as well so I can just accept and it's done.

Thanks!

  • Like 1

I was not totally serious and it was more targeting @Jonathan Lahijani and meaning something like: Why not use the functions api when it is only one setting away and does not need any modifications to any module? $config->useFunctionsAPI = true, that's it.

22 minutes ago, adrian said:

I just haven't got into using it yet - maybe I should?

Of course that's everybody's own decision, but I also started using it quite late and now I really like it. It makes things easier, shorter and better to read:

  public function executeTransactions() {
    $form = $this->modules->get('InputfieldForm');

    $f = $this->modules->get('InputfieldRockGrid');
    $f->name = 'transactions';
    $f->label = 'Overview of Transactions';
    $f->ajax = true;
    $form->add($f);

    return $form->render();
  }

I also prefer the array syntax now for adding fields:

  public function executeEfforts() {
    $form = modules('InputfieldForm');

    $form->add([
      'type' => 'RockGrid',
      'name' => 'efforts',
      'label' => 'Overview of Efforts',
      'ajax' => true,
    ]);

    return $form->render();
  }

To answer your question: If you've ever come across errors like "$pages/$modules/$users is not defined" or the like I'd suggest trying it out 😉 

Using VSCode + Intelephense I also get very nice code completion, so I don't see any reason not to use it. Only thing bothering me is when I am developing public modules I need to remember not to use the functions API as I can't assume everybody is using it.
[screenshot]

[screenshot]

[screenshot] that's a lot worse IMHO 🙂

  • Like 1

  • 6 months later...
On 1/19/2016 at 2:26 AM, adrian said:

Sorry it's taken so long to get to, but the latest version of the module now has a new config setting to optionally exclude pages outside the restricted branch from the search results of pages.

I tried the latest version of this wonderful module today: I activated the module's config setting "Restrict from search results". After that, I logged in with a user who is restricted to a certain branch and tried to find some pages outside the restricted branch.

I used the search box in the upper right corner of the PW admin and was surprised to see that results are found outside the restricted branch.

The quoted sentence above is related to a search by Lister, I guess?


@titanium - this used to work as expected - i.e. these pages could not be found via the search. I just took a look and it appears that relatively recent changes to this live search feature mean that now other results are returned, but note that the links from these results go to view the returned pages, rather than allowing the user to edit them. So I think the main functionality has not been compromised.

Remember that this module is not designed to control view permissions, just editing.

  • Thanks 1

8 hours ago, adrian said:

I just took a look and it appears that relatively recent changes to this live search feature means that now other results are returned, but note that the links from these results go to view the returned pages, rather than allowing the user to edit them.

Yeah, these view links are not helpful IMO. Related request: https://github.com/processwire/processwire-requests/issues/274

Edit: just noticed that you already thumbs-upped that. 🙂

  • Like 1

  • 2 months later...

IMPORTANT NOTICE!!!

Hi everyone. I just discovered something pretty important with this module.

If you are using the Role Name or Custom PHP Code option and matching a page name or path, you MUST be sure to check "No Access" for the "If no match, give all access or no access?" setting. If you don't do this, a site editor could change the name of their branch parent, which would result in no match and hence they could gain access to the entire page tree.

I am tempted to actually remove these two matching options to improve security - is anyone using them?

To make life easier, I have added a new "Role Specified Branch Parent" option which allows you to select a branch parent on a per role basis, rather than per user. I think in most cases this is the best option to use.

Please be sure to check your settings and if you can please switch to the "Role specified" or "User specified" options in the new version.

Let me know if you have any questions or concerns.

Thanks,
Adrian

  • Like 3
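
The fail-open behaviour described in the notice above, as an added example that is not part of the original post and is not AdminRestrictBranch's own code. It is a standalone model over a constructed page tree; the function names and the assumption that name matching compares a role name against the name of a top-level page are hypothetical.

```php
<?php
// Added example: a standalone model of branch resolution, NOT AdminRestrictBranch code.
// Constructed page tree: id => [name, parent id]. Page 1 is Home (the tree root).
$pages = [
    1    => ['name' => 'home',    'parent' => 0],
    1010 => ['name' => 'site-a',  'parent' => 1],
    1011 => ['name' => 'site-b',  'parent' => 1],
    1020 => ['name' => 'news',    'parent' => 1010],
    1021 => ['name' => 'payroll', 'parent' => 1011],
];

const ROOT_ID = 1;

// Name-based matching (assumed behaviour): the branch parent is the top-level
// page whose name equals one of the user's role names. $allAccessOnNoMatch
// models the "If no match, give all access or no access?" setting.
function branchRootByRoleName(array $pages, array $roles, bool $allAccessOnNoMatch): ?int
{
    foreach ($pages as $id => $page) {
        if ($page['parent'] === ROOT_ID && in_array($page['name'], $roles, true)) {
            return $id;
        }
    }
    // No match: either the whole tree (fail open) or no editable branch (fail closed).
    return $allAccessOnNoMatch ? ROOT_ID : null;
}

// ID-based matching: the branch parent is stored as a page ID on the role or
// user, so the page's name plays no part in the decision.
function branchRootById(array $pages, ?int $storedId): ?int
{
    return ($storedId !== null && isset($pages[$storedId])) ? $storedId : null;
}

// True if $pageId is the branch root or one of its descendants.
function canEdit(array $pages, int $pageId, ?int $branchRoot): bool
{
    if ($branchRoot === null) {
        return false;
    }
    for ($id = $pageId; isset($pages[$id]); $id = $pages[$id]['parent']) {
        if ($id === $branchRoot) {
            return true;
        }
    }
    return false;
}

// Print the resolved root and whether the editor can edit a page inside
// their own branch (news) and one in another branch (payroll).
function report(string $label, array $pages, ?int $root): void
{
    printf("%-34s root=%-5s news=%-4s payroll=%s\n",
        $label,
        $root === null ? 'none' : (string) $root,
        canEdit($pages, 1020, $root) ? 'yes' : 'no',
        canEdit($pages, 1021, $root) ? 'yes' : 'no');
}

$roles = ['site-a']; // constructed editor whose role name matches their branch

report('by name, before rename', $pages, branchRootByRoleName($pages, $roles, true));

// The editor has edit access to their own branch parent and renames it,
// so the role name no longer matches any page name.
$pages[1010]['name'] = 'site-a-renamed';

report('by name, all access on no match', $pages, branchRootByRoleName($pages, $roles, true));
report('by name, no access on no match', $pages, branchRootByRoleName($pages, $roles, false));
report('by stored page ID', $pages, branchRootById($pages, 1010));
```

Run with `php` on the command line. The rows after the rename show why the notice asks for "No Access" with name or path matching, and why an ID-based branch parent is unaffected by a rename.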

  • 4 months later...
43 minutes ago, nabo said:

Hi

is it normal that if I add two different roles (that have different restricted branch) to a user, when I log in I can see only one branch?

Yep, because of the way this module works, it can only limit to one branch of the tree. This limit affects all places where the user could view and/or edit pages outside that branch. If you want to give access to multiple branches you'll need a different approach - this thread might be helpful: 

 

  • Like 1
